An exploit has been posted for the "mcpuk" file manager that ships with FCKeditor in Achievo versions 1.2.0 through 1.3.2. The exploit allows an attacker to upload and execute arbitrary code.
Although FCKeditor is not used in Achievo, the exploit works even when FCKeditor is disabled, because it calls the vulnerable file directly.
For people who cannot upgrade to Achievo 1.3.3 because they depend on modules that do not work with the latest version, we advise removing the file manager manually.
To remove the file manager, go to the 'atk/attributes/fck/editor' directory and remove the entire 'filemanager' subdirectory. Then disable the file manager in the FCKeditor configuration file, 'fckconfig.js' (in atk/attributes/fck). It contains the following three options, all of which should be set to "false" to disable the file manager:
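A post-hardening check for the two steps above, added here as an example and not part of the Achievo advisory: it verifies that the 'filemanager' directory is gone and that the named options in 'fckconfig.js' are set to false. The option names are not listed on this page, so they are passed as arguments; the `FCKConfig.` prefix used in the regular expressions is assumed from FCKeditor's configuration file format.

```shell
#!/bin/sh
# Added example (not the advisory's own code): verify an Achievo install has
# the mcpuk file manager removed and the file-manager options disabled.
# Usage: fck_filemanager_check <achievo_root> <option_name>...
# The option names are not given on the page; supply them yourself.
# Returns 0 when hardened, 1 when any check fails; prints each finding.
fck_filemanager_check() {
    root=$1; shift
    status=0
    fm_dir="$root/atk/attributes/fck/editor/filemanager"
    cfg="$root/atk/attributes/fck/fckconfig.js"

    # Step 1: the whole 'filemanager' subdirectory must be gone.
    if [ -d "$fm_dir" ]; then
        echo "FAIL: file manager directory still present: $fm_dir"
        status=1
    else
        echo "ok: $fm_dir absent"
    fi

    if [ ! -f "$cfg" ]; then
        echo "FAIL: config not found: $cfg"
        return 1
    fi

    # Step 2: each named option must be an active (uncommented) line set to false.
    # Assumes the usual "FCKConfig.<Option> = <value> ;" line format.
    for opt in "$@"; do
        if grep -Eq "^[[:space:]]*FCKConfig\.$opt[[:space:]]*=[[:space:]]*true" "$cfg"; then
            echo "FAIL: $opt is still enabled in $cfg"
            status=1
        elif grep -Eq "^[[:space:]]*FCKConfig\.$opt[[:space:]]*=[[:space:]]*false" "$cfg"; then
            echo "ok: $opt disabled"
        else
            echo "WARN: $opt not found in $cfg (check the option name)"
            status=1
        fi
    done
    return $status
}
```

Run it as `fck_filemanager_check /path/to/achievo Option1 Option2 Option3` after applying the changes; a non-zero exit means at least one step is still outstanding.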